× Docs Platform Dashboard Extensions Applications Building Merchants Sign in

Throttling

The Rehive platform uses throttling to protect against API misuse and ensure all clients experience equal quality-of-service. Throttling errors will always be returned as a 429 response with a throttling specific error message:

{
  "status": "error",
  "message": "Request was throttled: {reason}. Expected available in {time}."
}

The primary throttling types are listed below, but the exact details may vary as a result of Rehive adapting to changing requirements and client usage.

  • General throttling : Applied to endpoints that require authentication to protect against a single user overloading the API.
  • Other throttling : Applied to some endpoints (mostly authentication related) to provide additional protections against misuse.

Across the entire Platform API, there is a global limit of 300 requests per 10 seconds. This is applied per IP.

General throttling

Generally, when dealing with authenticated users, throttling is applied based on the company’s tier. There are 4 tiers that have different throttling rules depending on whether the request is on a user or admin section endpoint. The restricted tier will automatically be applied to a company if their associated billing account is unpaid. In these situations only the “owner” or original creator of the company will still be able to access the API.

New companies, and those within the trial period have a throttling type of limited.

Sustained usage

Name user admin Condition
restricted 0/hour 0/hour Only the company owner can access the API.
limited 3000/hour 6000/hour -
standard 6000/hour 12000/hour -
extended 12000/hour 60000/hour -

Burst usage

In addition to sustained (hourly throttles), The platform API also throttles on requests per minute. These throttles exist to protect against high burst while also allowing some flexibility during abnormally high but short request loads.

Name user admin Condition
restricted 0/min 0/min Only the company owner can access the API.
limited 150/min 200/min -
standard 200/min 400/min -
extended 300/min 1200/min -

Other throttling

The following is a list of endpoints that are throttled in other ways (on top of the general throttling):

Endpoint method burst sustained Condition
/3/auth/login/ POST 6/min 20/hour Same user and company field.
/3/auth/deactivate/ POST 4/min 10/hour Same user and company field.
/3/auth/password/reset POST 4/min 10/hour Same user and company field.
/3/auth/email/verify/resend/ POST 4/min 10/hour Same email and company field.
/3/auth/mobile/verify/resend/ POST 4/min 10/hour Same mobile and company field.
/3/auth/register/ POST 6/min 10/hour Same IP
/3/auth/company/register/ POST 6/min 10/hour Same IP
/3/auth/mfa/authenticators/ POST 6/min 10/hour Same user
/3/auth/mfa/deliver/ POST MFA Challenge deliver 6/min 10/hour Same user

All anonymous endpoints have a flat limit of 20 requests/min per IP.